Blogs

About this blog

Welcome to the Application Performance Management Blog, where you can read the perspectives from APM experts. This Blog provides insights into the Application Performance Management solution, as well as technical details about specific IBM products.

Recent tweets

ITM Nuggets: Being locked out of the TEP client with an invalid username or password leads to headaches... here's the cure!

Its a Monday morning, you have a heap of work to get through and you cant log in to the TEP. Your presented with the dreaded "KFWITM393E" error... Don't reach for those painkillers....The below explains how to get you back on your feet fast!

In the coming weeks/months there will be a series of helpful tips and hits to help you correct problems and improve your ITM infrastructure.

When logging into the Tivoli Enterprise Portal (TEP) you are presented with the following error message:

There are several reasons why this error can occur. The solutions below will show you how to check and resolve the most common causes.

How the authentication process works:

There are 3 types of authentication available to users in ITM.

TEPS Authentication

TEMS Operating system / Validate User Authentication

LDAP Authentication

With all 3 types of authentication, access to the Tivoli Enterprise Portal is controlled by user accounts that are defined in the portal server. The user ID must have an account created in the portal server to be able to gain access. These IDs control which user are authorized to log into the TEP, and also define the permission's for what each user can do. (what each user can see, access and modify)

TEPS Authentication

Tivoli Enterprise Portal Server authentication is solely managed by the user IDs defined in the TEP. If a user is listed has an ID in this repository, then that user can log into the TEP without any password, only the user ID is required.

You can check which IDs you have listed in the TEPS, by logging in to the TEP console with a valid user and selecting the user icon shown below:

TEMS Operating system / Validate User Authentication
This type of authentication is user security that is enabled on the HUB TEMS (Tivoli Enterprise Monitoring Server). This type of authentication requires a password as well as a user ID to log in to the Tivoli Enterprise Portal.

Password authentication is controlled by the host of the HUB TEMS. When a user logs in to the Tivoli Enterprise Portal, the Portal Server queries the HUB monitoring server to validate the account and sends the encrypted user ID and password. The HUB monitoring server validates the account by sending a request to the operating system to ensure the userid and password is correct. The Tivoli Enterprise Portal user ID's and associated passwords MUST be defined on the hub computer.

This is where the userid and password needs to be set on the HUB TEMS O/S for this authentication to work:

Operating system of the hub monitoring server

Method of Tivoli Enterprise Portal password authentication

Windows

User operating system accounts

Linux and UNIX

Password files

z/OS

RACF, CA-ACF2, CA-TOP SECRET, or Network Access Method

You can check if you have this type of authentication active by reconfiguring the HUB TEMS component and checking the following settings on the first screen that appears. If the box next to "Security: Validate User " is selected, then it is enabled.

Note: If none of the options are checked "Security: Validate User" or "LDAP" then TEPS Authentication is in effect.

When you enable security on the HUB monitoring server, you have the option of selecting validation using LDAP, instead of the local registry for user authentication. The users you have created in the TEP are then mapped to the LDAP repository usernames and passwords. For this authentication to function correctly, the username in the TEP must match a user in the LDAP repository. The passwords are then authenticated against the information on the LDAP server.

NOTE: LDAP is not supported for hub monitoring servers on z/OS.

You can check to determine if you have this type of authentication active by reconfiguring the HUB TEMS component and checking the following settings on the first screen that appears. If the box next to "Security: Validate User" and also LDAP are selected, then it is enabled.

Check list of what to look for to resolve your issue:

The User ID is defined in the ITM infrastructure

Validate that the password is correct

Character length of password with TEMS Operating system / Validate User Authentication

1. Ensure the user ID is defined in the ITM infrastructure

The user ID you enter must match the user ID on the portal server, If the user ID does not exist then the user will not be able to log in. You can check this in two ways:

Log on to the portal server with a valid user ID and check the user that fails appears in the list. If it does not you will need to create it for access to be granted.

You can also check what users exist by reviewing the contents of the TEPS database. This is a good method if no user ID can log in. All portal users are stored in a table called KFWUSER. When you query the table, the column labled "ID" should match the user ID you are trying to log in with. If all users are missing including "sysadmin" then you may wish to investigate if any recent changes have occurred on the TEPS or it's database that could have caused the contents to be removed.

2. Check password is correct

The next step is to check that the password you are using is correct. The best way to test this quickly is to try and log in to the HUB TEMS host operating system, with the username and password you used when you attempted to log in to the TEP. If the username and password fails to authenticate, then you can try to reset the password for that account from within the operating system where the HUB TEMS is located.

Example for windows 2008:

1. Open the Local user and Groups window.

These steps ensure that the password you are using is correct and the same one that is listed on the operating system account on the server where the HUB TEMS resides.

3. Check character length of password if using TEMS Operating system / Validate User Authentication

If you are using TEMS Operating system / Validate User Authentication(as described above) then there is a 15 character password limit. Due to this restriction, the TEPS will only pass 15 characters of the password for validation when TEMS authentication is used. To rectify this issue you can update the password for the user to a maximum of 15 characters in one of the following locations at the HUB TEMS.

Operating system of the hub monitoring server

Method of Tivoli Enterprise Portal password authentication

Windows

User operating system accounts

Linux and UNIX

Password files

z/OS

RACF, CA-ACF2, CA-TOP SECRET, or Network Access Method

Next steps:
If all the above still did not resolve the issue, you may need to enable traces on the TEPS server to diagnose this problem further.

The recommended trace level would be:

ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)

This level of tracing will capture the SQL calls, the data calls and any information relating to the authorization that passes through the TEPS. This trace level will enable IBM Support to see any errors relating to the username and password failing as the request passes through the TEPS.

2. Edit to set the value for KBB_RAS1 as following and save it.
KBB_RAS1 = ERROR (UNIT:ctsql IN ER) (UNIT:ctdata IN ER) (UNIT:ctauth ALL)
(Caution : Make sure that the value of KBB_RAS1 is
not enclosed in any - single or double - quotes).

Recreate the problem
Once the trace has been set, restart the TEPS, then attempt to login to the TEPS and reproduce the error. Restarting the TEPS enables the new trace level.

Review the logs:
Then collect/review the last *_cq_* log files from the $CANDLEHOME/logs on the TEPS, as well as the ms.ini from the TEMS.

If you need to open a PMR with support we recommend you use the PDcollect utility and provide this collection with the PMR. PDcollect captures all the required logs as well as valuable system and environmental information required to diagnose your problem. You can use the link below for assistance in running PDcollect as well as all the command line options available to you.